Network Security, Patch/Configuration Management, Threat Management, Vulnerability Management

SirenJack flaw exposes problems in emergency alert system

Security researchers have found a flaw in the alert warning siren system used by many local authorities.

According to a report released by security firm Bastille Networks, the vulnerability, it called “SirenJack”, could allow a hacker to broadcast false alarms, potentially affecting millions of people.

The flaw effects warning sirens developed by ATI Systems and is deployed in multiple locations around the world. ATI customers include the City of San Francisco, other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants.

In the US these emergency alert systems are implemented at the One World Trade Center, Indian Point Energy Center nuclear power stations, UMass Amherst, and the West Point Military Academy.

The SirenJack vulnerability can be exploited remotely via radio frequencies to activate all the sirens at will and trigger false alarms with the attendant chaos and panic. Security researchers found that an unencrypted and therefore insecure radio protocol controls the ATI sirens it monitored. This unencrypted protocol allows a bad actor, which could be an individual, hacktivist, terrorist, or hostile nation state, to find the radio frequency assigned to a system, craft malicious activation messages, and transmit them from their own radio to set off the system.

“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO, Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We're now disclosing SirenJack publicly to allow ATI Systems' users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”

Balint Seeber, director of vulnerability research at the company began the SirenJack investigation in 2016 in San Francisco, after noticing that the city's Outdoor Public Warning System used RF communications. Upon further analysis of the radio protocol, he determined that the commands were not encrypted, and that the system was therefore vulnerable to forgery of system commands and malicious activation.

False alarms result in needless panic and concern, as well as increasing distrust in these systems, as seen in the 2017 Dallas siren hacking incident that set off over 150 emergency sirens citywide for more than 90 minutes. In 2018, the emergency alerting system in Hawaii was triggered by human error, and the population was erroneously panicked.

“During emergencies, cell tower-based public alert systems have been shown to fail. Many citizens have ‘cut the cord' and cannot be contacted via a reverse 911-phone system. Consequently, warning sirens play a crucial role as they are the only truly reliable method to alert a population en-mass of a public safety event,” said Seeber. “The SirenJack vulnerability underscores the need to make emergency alert systems stronger than ever, as hackers are constantly probing critical infrastructure, especially those using insecure RF-based protocols, to infiltrate and carry out potential attacks.”

In a statement released by ATI on Tuesday, it said: “ATI has created a patch which adds additional security features to the command packets sent over the radio. This is currently being tested and will be rolled out shortly. However, ATI sirens are not mass-market consumer items connected to the internet where you simply download a patch.”

Adam Brown, manager of security solutions of Synopsys, told SC Media UK that iIt's not surprising that national infrastructure like this, built many years ago was not designed with an attack scenario like this in mind. “Now that software defined radio is readily available and highly capable (radio's like the Chinese Boafeng radio used in Bastilles video are only US$ 20 (£14) a piece), equipment is no longer the barrier it was in the past for attackers to pull off their pranks,” he said.
Joseph Carson, chief security scientist at Thycotic, told SC Media UK that the only way such attacks can be stopped is to ensure the equipment is patched accordingly, access controls are restricted using privileged access solutions and that they are configured correctly with appropriate security controls. 

“It is also possible to monitor for illegal radio transmission or alert on potential threats,” he said.

He added that it is unlikely that nations states would trigger such a cyber-attack unless an actual war is pending or imminent. “It is more likely to be used for disruption or political hacktivism,” said Carson.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.